Fwd: Re: Quasi-enterprise WiFi network
Victor Sudakov
vas at mpeks.tomsk.su
Sun Jan 14 06:31:51 UTC 2018
Marek Zarychta wrote:
> On Sat, Jan 13, 2018 at 06:07:39PM +0700, Victor Sudakov wrote:
> > Eitan Adler wrote:
> > > >
> > > >
> > > > Are there any network experts willing to look at the dump of RADIUS
> > > > traffic at http://noc.sibptus.ru/~sudakov/radius.pcap ?
> > >
> > >
> > > >From wireshark: PEAP / EAP-MD5-CHALLENGE
> >
> > Eitan, do you mean it's EAP-MD5 encapsulated in PEAP (TLS tunnel)?
> >
> > Why is the client not checking the server's certificate authenticity
> > and how do I make the client check it against a CA (if I need to)?
>
> Dear Виктор,
>
> Android client doesn't care for server certificate authenticity, so you
> don't have to install CA certificate, which was probably automatically
> generated by radius and written to file:
> /usr/local/etc/raddb/certs/ca.der
$raddbdir/certs/{server,ca}.pem for the server and CA respectively, if I read
mods-enabled/eap correctly.
>
> Windows and Mac clients do care for it, so the CA cert should be
> installed as a Trusted Root Certificate Authority for these clients.
This is bad news for me. However I'll report here when I have
experimented with different supplicants.
>
> If you want to have 0 problems with Windows clients, I recommend building
> simple captive portal based on PF redirection and simple login page.
There are ready-to-use captive portals in pfSense and m0n0wall (I did
not test the latter though), so I think there is no need for me to code
in PHP or whatever.
What I'm trying to avoid is deploying a dedicated FreeBSD/pfSense box
at remote hotspots. And the TL-WR740N router/AP does not do any traffic
tunneling via a central hub (or I have not found a way to enable it).
Do you know how commercial captive portals handle this problem? Do they
install their own box near every customer's AP?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
AS43859
More information about the freebsd-net
mailing list